Using X.509 Cert. subject and issuer for authorization with EAP-TLS

Arnaud Ebalard arno at
Tue Apr 8 14:13:32 CEST 2008


>From my understanding (don't hesitate to correct me), the authorization
step being done before the authentication step (for the purpose of
selecting the allowed authentication method), it does not seem possible
to use attributes from the X.509 Certificate provided by the client for
the purpose of authorization (it comes too late).

I expected I would be able to extract the information from the client
Cert during authentication and make it available for Post-Auth in
order to decide what to do in a more precise manner (change attribute,
reject, ...).

The main idea is to be able to put users from unknown subtrees of my
PKI in some guest VLANs by pushing specific attribute to the NAS (a
switch or AP). Known users would be put in a specific VLAN associated
with their profile. Other users would be rejected.

After looking at the source code, I decided to define some specific
vendor attributes that I would expect to have only a local meaning (not
seen on the cable but infered from the TLS exchange) but I basically
failed to see how to do the following *properly*:

- where to store the information grabbed in the SSL callback,
- how to make that information usable in a transparent fashion for
  Post-Auth modules like rlm_files, ... 
- how to force a reject and not only change attributes, ...

Thanks for your time. Don't hesitate if you have questions. 



More information about the Freeradius-Devel mailing list